How to disable Flash in Microsoft Edge (Windows 10)

In Windows 10 you don’t need to install Flash Player separately, as you did in previous Windows versions or in browsers like IE/Chrome/Firefox. Flash Player is now integrated with Microsoft Edge, the replacement for Internet Explorer.

Recently a new (yes, yet another one) vulnerability has been discovered in Adobe Flash Player. To update it you can’t go directly to the Adobe website; instead, it is updated through Windows Update.

To allow or block Flash in Edge, follow these steps:

Click the button “…” on the upper right corner of Microsoft Edge

Click on View Advanced Settings

Look for “Use Adobe Player” and click on it to change from On to Off

Remember: Flash is buggy software. Update it, but try to keep it disabled unless you really need it (in most cases you won’t!).

Let’s face it, we hate to type unnecessary stuff, so if our browser can fill out information for us we’re on board!

Autofill is the feature that automatically completes form data with information you have previously entered.

However handy this might seem, it presents a huge privacy and security risk. The information that is saved in your browser (names, addresses, passwords… even credit card numbers) can be stolen through shady scam websites and in other ways. You can read more about it here: Autofill flaw lets scammers steal credit card information

The safest option is always to type the information yourself. If you use a password manager like LastPass or KeePass, copy and paste the information instead of using an autofill feature or plugin.

Disabling Autofill and Saving Passwords features in Chrome

Go to the Settings Menu Option

Click on the 3 dots button to view the menu

Click on Settings

Go to the bottom of the Settings page and click on Show advanced settings…

Go to the section Passwords and forms and remove the checkmark on the following options. This will disable both the autofill option and the save passwords option.

Enable password encryption and create usernames and passwords

The service password-encryption command allows for, ahem, the encryption of every password (enable, username passwords) on the device. Issue it if you haven’t before (you probably have, though). Also create the users who can access your device, along with their privileges. In this example the user database is local.

Restricting vty lines to use only ssh (don’t allow telnet)

In configuration mode, allow only incoming ssh connections with the command transport input ssh (by default lines don’t allow any connections), and specify that authentication takes place against the local database (the users you created before).

If you want to add a bit of extra security, you can create a list of IP addresses which are allowed to connect via ssh to the Cisco device.

The following example creates the standard access list 1 to permit traffic from the subnet 10.10.10.0 with logging enabled. A deny statement is implicit in the ACL so technically the second access-list line is not needed unless you want to log unauthorized connection attempts (Always check who’s trying to connect to your server!).

Block IP addresses after a certain number of failed attempts (optional)

Also, if you want to stop the casual attacker, you can block their IP address for a period of time with the command login block-for; this will prevent brute-force attacks against the device.

The example below blocks for 1 hour (3600 seconds) an IP address with 5 failed login attempts within 50 seconds. Important: Choose the times carefully for your environment. If you select a very low fail-attempt threshold, like 2 failed login attempts within 60 seconds, then you might block yourself if you accidentally type a wrong password 2 times in 1 minute.

switch(config)# login block-for 3600 attempts 5 within 50
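
The steps above combined into one configuration, as an added example that is not from the original post. The user name admin, the password placeholder, the vty range 0 4 and the /24 wildcard mask for 10.10.10.0 are assumptions; it also assumes SSH itself (hostname, domain name, RSA keys) is already set up on the device.

```cisco
! Added example. Entered from global configuration mode (configure terminal).
! Assumed values: user "admin", vty lines 0 4, 10.10.10.0 treated as a /24.
!
! Encrypt the passwords stored in the configuration.
service password-encryption
!
! Local user database. "secret" stores a one-way hash; a "password" entry
! would only get the reversible type 7 encoding from service password-encryption.
username admin privilege 15 secret <CHOOSE-A-STRONG-PASSWORD>
!
! Standard ACL 1: permit the management subnet and log it.
access-list 1 permit 10.10.10.0 0.0.0.255 log
! The deny is implicit; this explicit line exists only to log refused sources.
access-list 1 deny any log
!
line vty 0 4
 ! SSH only, no telnet.
 transport input ssh
 ! Authenticate against the local users created above.
 login local
 ! Apply ACL 1 to incoming connections on these lines.
 access-class 1 in
 exit
!
! Block logins for 3600 s after 5 failed attempts within 50 s.
login block-for 3600 attempts 5 within 50
```

After applying it, show login displays the block-for settings and show access-lists 1 shows the match counters for permitted and denied sources.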

That’s it. You should be able to connect to your device via your favorite SSH client.

Flash is being phased out. Every day fewer websites run Flash, since they have replaced it with HTML5 and other formats. Why? Among other things, Flash is VERY insecure. For example, right now a lot of Flash ads are being injected with malicious code in order to infect everybody who visits sites carrying those ads. You don’t have to click on anything, you don’t have to download a file, you’ll be infected just by getting there.

If you don’t use Flash it’s best to disable it, but if you need it from time to time (certain websites and devices still only use Flash), set your browser to “Ask First” and update to the latest Adobe Flash Player version: https://get.adobe.com/es/flashplayer/.

Disabling Flash in Chrome

The easiest and fastest way to do it is to type this in the location bar:

chrome://settings/content

Figure 1. Content Settings

Or if you want the long and click-y version, click on the upper right menu and click on Settings.

In the window that appears, go to the bottom and click on Advanced. More options will appear, including “Content Settings”.

Click on that option; it will show the same information as in Figure 1 above.

You’ll see an option for Flash, click on it.

If you want Chrome to ask before running Flash make sure your setup looks like the picture below. This picture shows that Chrome is allowing sites to run Flash but also to ask before running it on a website.

The next time a website is trying to use flash a dialog similar to this will appear:

If you want to completely disable Flash, turn off Allow sites to run Flash by clicking on the blue button; the text will now change to Block sites from running Flash.

This window also has the option to block and allow flash per website, either manually or if you selected “Ask First” it will remember your choice of Allow/Block for individual sites.

That’s it!

Disabling Flash in Firefox

Click on the menu symbol in the upper right corner and click on Add-ons, or type about:addons in the location bar.

On the left side menu, click on Plugins. Search for Shockwave Flash or Shockwave for Director (annoyingly, this was the previous name for the Flash plugin).

Here you can choose “Ask to Activate”, which in essence makes Firefox ask before activating Flash in case a site needs it. (See Figure below). Nowadays this would be rare, since most Flash on the Internet is in ads, not actual content, and even sites that use Flash have an alternate version without it. So you can disable Flash for good by selecting Never Activate. You will see something like this in a web page which only uses Flash.

Final Notes

My personal recommendation is to disable Flash since these vulnerabilities are recurrent.

Cookies

At this point, most people have at least heard about cookies in the website (not the dessert) sense. But what they really are and how they work remains obscure for some. So, let’s try to break it down a little.

What is a cookie?

A cookie is a data message that is stored in your web browser (i.e., in a file on your computer) when you visit certain websites.

Basically, you access the site and you receive the cookie that the website sends you. After that, every time you access that website, your web browser (Chrome, Firefox…) sends the cookie back to the website that created it in the first place, which is the only one allowed to read and modify the cookie contents.

Why do websites use cookies?

Basically, to remember you and your previous activity on the site.

Look at it this way: let’s say your name is Sam and you’re a regular in a coffee shop where you’re always served by John and you always order black coffee. Chances are the next time you go there, John greets you with a “Hi Sam, nice to have you back here, do you want the usual? Maybe you’re interested in this muffin that’s a match made in heaven for your black coffee.” Does it sound familiar?

Well, websites try to do the same thing, just in the virtual world. Cookies allow the website to greet you, to remember what products you were browsing the last time you visited the site, the products in a shopping cart or wish list, what your language preferences are, and a lot of other stuff, for as long as the cookie stays on your computer.

Also, cookies are a mechanism to let the website know if you’re already logged in to the site, so it doesn’t bug you asking for your password again and again (e.g. in a paid news site). These cookies are known as authentication cookies.

Can a cookie have a virus?

Not really. A cookie file is just a text file; it’s not code, so the cookie cannot perform any action by itself. Hence, a cookie is neither a virus nor malware, and it can’t install those on your computer either. However, cookies can be used to help malicious behavior by third parties, as explained below.

Can a cookie represent a threat?

They might, but not by themselves. The cookie is just a small text file which in the wrong hands may represent a privacy threat if a third party gains unauthorized access to the information.

An attacker can use a bug/attack in your web browser to read cookies and gather information about you, your shopping patterns, the websites you access, and even the passwords you use to access those sites. The attacker can even use your cookies to impersonate you on a website.

ProTip: Never save a password in your browser, seriously.

Cookies can also be used to identify a computer infected with a certain malware, so this computer can be compromised or used later to participate in an attack on some other target. Again, the computer had to be infected in some other way (not by the cookie).

The privacy concern

There’s a particular type of cookie which stirs controversy: the tracking cookie.

Remember your old normal cookie that only sends information to a website when you visit it? Well, now imagine you left the website with a spy at your back.

A tracking cookie will report your online activities to a website, even if those activities had nothing to do with the website that gave you the cookie. This cookie will tell on you (like an annoying brother): what you’ve been doing, which sites you have been visiting, etc. Your information, along with the information of many others (in the thousands or even millions), will be analyzed and used (sometimes even sold), mainly for marketing purposes; personalizing the ads you see in a webpage, for example.

Facebook uses tracking cookies, in case you were wondering.

Although this is not harmful to you or your computer, you might not want to share your information with everybody. Most legitimate sites will let you opt out of being tracked, and most popular web browsers have an option to send websites a “Do not track” request. However, this does not work 100% of the time, because some sites simply ignore your “do-not-track-me” request.

In conclusion, cookies are useful and harmless in the right hands, but in the wrong hands they could turn against you.

Minimizing Risks

In order to minimize the risks cookies might represent, you SHOULD always have an antivirus or malware scanner up to date and regularly analyze your computer. A malware scanner should be able to detect if a cookie has information from a malicious site. I recommend MalwareBytes.

Also, you can delete the cookies from your web browser manually or configure the browser to delete cookies every time you close the web browser.

Keep in mind that if you delete the cookies, you’ll lose some of the cool personalized stuff some websites are able to show you thanks to them. So, there’s an alternate way: the EFF Privacy Badger. The EFF Privacy Badger is a web browser extension (Chrome and Firefox) able to recognize which types of cookies (and spy ads) are in a website.

When you visit a site, this extension will allow the good cookies and block the bad ones (trackers and/or related to potential harmful sites). The picture below shows a visit to CNN where the Privacy Badger blocked a tracker (in red).

So you started up your (always awful) Monday with this Chrome warning and you’re panicking because your trusted extension uBlock which is supposed to protect you from evil (ads) is turning into the Devil himself.

Read and CHANGE my data? Change my privacy settings? Hell no!

Well, it turns out that it kind of always has been this way and it’s needed for the reasons cited in this link here: https://github.com/gorhill/uBlock/wiki/About-the-required-permissions

But if you need the recap (TL;DR):

uBlock and other ad blockers need to read your data:

To cancel requests to the network (like the ads, right?)

To block popups

To disable the “quick loading of web pages”… wait, what? Yes, so that no connections are opened to unwanted sites. So, this is for your own good.